This document describes how to recover the enable password and the enable
secret passwords. These passwords protect access to privileged EXEC and
configuration modes. The enable password can be recovered, but the enable
secret password is encrypted and must be replaced with a new password. Use the
procedure described in this document in order to replace the enable secret
password.

The enable password or the enable secret
password is stored in the startup configuration file in the
nonvolatile RAM (NVRAM). The password recovery procedure requires that you boot
the router and ignore the startup configuration file in the NVRAM. In order to
boot the router and ignore the startup configuration file, set the 6th bit in
the configuration register. The router boots with the default configuration and
all the interfaces in "shutdown" state.

Since the default configuration does not have a password, anyone can
enter enable mode on the router. In order to return the router to the original
configuration, the startup configuration file can be copied into the router
memory. If you are already in the enable mode, you can either view or change
the enable password, but you can only change the
enable secret password because it is always encrypted in the
show commands. This document describes this
procedure.

Note: Password recovery procedures cannot be performed through a Telnet
connection.

If you can access the router, type show
version at the prompt, and record the configuration register
setting. See Example of Password Recovery
Procedure in order to view the output of a show
version command.

Note: The configuration register is usually set to 0x2102 or 0x102. If
you can no longer access the router (because of a lost login or TACACS
password), you can safely assume that your configuration register is set to
0x2102.

Use the power switch in order to turn off the router, and then turn
the router back on.

Press Break on the terminal keyboard within 60
seconds of power up in order to put the router into ROMmon.

The show running-config and
write terminal commands show the configuration of
the router. In this configuration, the shutdown
command appears under each interface, which means all interfaces are currently
shut down. Also, the passwords display in either encrypted or unencrypted form.

Type configure terminal, and make the
changes.

The hostname(config)# prompt
appears.

Type enable secret
<password> in order to change the
enable secret password.

Issue the no shutdown command on every
interface that is used. If you issue a show ip interface
brief command after you exit configuration mode, every interface
that you want to use displays up up.

Type config-register 0x2102 (or use the
value you recorded in step 4).

This step causes the router to load the Cisco IOS software from the
Flash with the configuration from NVRAM at the next reload.

Press CTRL + Z in order to leave the configuration
mode.

The hostname# prompt appears.

Type write memory or copy
running-config startup-config in order to commit the changes.

Type Reload in order to restart the
router and force the Cisco IOS software to boot from the
Flash.

This section provides an example of the password recovery procedure.
This example uses a Cisco 2500 Series Router. Even if you do not use a Cisco
2500 Series Router, this output provides an example of what you should
experience on your product.

This output from the show running-config
command shows that enable password is configured.
You can complete password recovery as shown in this example.

Router#show running-config
!--- This command can be used to view the unencrypted password.
Building configuration...
Current configuration : 431 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password XxXxXx
!--- Here the password is in clear text. We can either maintain
!--- the same password or replace it with a new password for security reasons.
!--- Output Suppressed.

After you recover or replace the password, you must reset the
configuration register value to 0x2102. The value was changed
earlier in the procedure to 0x2142 in order to ignore the
startup configuration and boot the router. In order to verify the configuration
register value, issue the show version
command.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-register 0x2102
!--- The config-register is changed back to load the router
!--- with NVRAM configuration.
Router(config)#^Z
00:03:20: %SYS-5-CONFIG_I: Configured from console by console

When you issue the config-reg 0x2102
command, the new configuration register value is not immediately applied. The
new value is applied only after the router is reloaded. The show
version command shows the current value (0x2142) and the value
that will be applied after the next reload (0x2102).
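
As an added example (not part of the original document), this Python check parses the configuration register line from show version output and reports whether bit 6 is set now or will still be set at the next reload, which is the state that leaves the router booting without passwords. The function names and sample lines are constructed for illustration; the line format assumed is the one show version prints for the register.

```python
import re

IGNORE_NVRAM_BIT = 0x0040  # bit 6: boot while ignoring the startup configuration in NVRAM

# Assumed format of the register line in "show version"; the "(will be ...)" part
# appears only when a new value is pending until the next reload.
_REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_config_register(show_version_text):
    """Return the current and next-boot register values and what each implies."""
    m = _REG_LINE.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    # Without a pending value, the next reload uses the current one.
    next_boot = int(m.group(2), 16) if m.group(2) else current
    return {
        "current": current,
        "next_boot": next_boot,
        "booted_ignoring_nvram": bool(current & IGNORE_NVRAM_BIT),
        "next_boot_ignores_nvram": bool(next_boot & IGNORE_NVRAM_BIT),
    }

def findings(result):
    """Turn the audit result into messages an operator can act on."""
    out = []
    if result["next_boot_ignores_nvram"]:
        out.append("next reload ignores startup-config: router boots with no "
                   "passwords; restore the recorded register value")
    elif result["booted_ignoring_nvram"]:
        out.append("running with startup-config ignored; register is restored "
                   "at next reload")
    return out

# Constructed sample lines, not output captured from a real device.
SAMPLE_MID_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
SAMPLE_LEFT_OPEN = "Configuration register is 0x2142"
SAMPLE_NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    for text in (SAMPLE_MID_RECOVERY, SAMPLE_LEFT_OPEN, SAMPLE_NORMAL):
        print(text, "->", findings(audit_config_register(text)) or ["ok"])
```

Run it against saved show version output after any recovery; a device reported as ignoring startup-config at the next reload was left with the recovery register value in place.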